0ab68923f3f6c5c494e564508b648e5ece02957dd84a7a9f186975e775aef959

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2023, 15:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

76584f45934fbbc5ee094bd3abbf8f32_goldeneye_JC.exe
Size

372KB
MD5

76584f45934fbbc5ee094bd3abbf8f32
SHA1

4729c85f4288d08c10f3e86e27294bd7a2fc888f
SHA256

0ab68923f3f6c5c494e564508b648e5ece02957dd84a7a9f186975e775aef959
SHA512

59c7b121f0b589560ab8f25b98fda1cc26fc76e17a4b3bd364ea0f3475223e4b3619c926cada705b7f25a59fa90efce336fcfaa42a81be9e0123e733121c4a0f
SSDEEP

3072:CEGh0oMmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGvl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1E46CF4-A24B-4ba3-B39F-151A35D17098}	{A7AE9257-1EA8-45b1-8672-C23E603F15A1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6991A06D-D012-4f41-9980-A97C2C5FF0B9}	{A1E46CF4-A24B-4ba3-B39F-151A35D17098}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61A44D86-7AA7-44f8-A3F7-AAC9D24EF8C0}\stubpath = "C:\\Windows\\{61A44D86-7AA7-44f8-A3F7-AAC9D24EF8C0}.exe"	{89010139-F841-4faa-8B1A-9D811C2ED99B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{260F4274-AF87-4344-B8AF-A8D2F301EBEB}	{1BFDB7EE-6FA1-4252-B184-1825425A226F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3DF57A89-D4F5-40f5-B311-F814E7405DD2}	{C91A4775-BAB1-48e5-A0C0-D076F90BC015}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7AE9257-1EA8-45b1-8672-C23E603F15A1}	76584f45934fbbc5ee094bd3abbf8f32_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7AE9257-1EA8-45b1-8672-C23E603F15A1}\stubpath = "C:\\Windows\\{A7AE9257-1EA8-45b1-8672-C23E603F15A1}.exe"	76584f45934fbbc5ee094bd3abbf8f32_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38DB1EBE-E630-463b-9357-CEA2156B1F94}\stubpath = "C:\\Windows\\{38DB1EBE-E630-463b-9357-CEA2156B1F94}.exe"	{6991A06D-D012-4f41-9980-A97C2C5FF0B9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{03A33329-0CAE-4a86-ACF4-B064D7ABF6AE}	{38DB1EBE-E630-463b-9357-CEA2156B1F94}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{03A33329-0CAE-4a86-ACF4-B064D7ABF6AE}\stubpath = "C:\\Windows\\{03A33329-0CAE-4a86-ACF4-B064D7ABF6AE}.exe"	{38DB1EBE-E630-463b-9357-CEA2156B1F94}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61A44D86-7AA7-44f8-A3F7-AAC9D24EF8C0}	{89010139-F841-4faa-8B1A-9D811C2ED99B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1BFDB7EE-6FA1-4252-B184-1825425A226F}\stubpath = "C:\\Windows\\{1BFDB7EE-6FA1-4252-B184-1825425A226F}.exe"	{61A44D86-7AA7-44f8-A3F7-AAC9D24EF8C0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C91A4775-BAB1-48e5-A0C0-D076F90BC015}\stubpath = "C:\\Windows\\{C91A4775-BAB1-48e5-A0C0-D076F90BC015}.exe"	{260F4274-AF87-4344-B8AF-A8D2F301EBEB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F5D8586E-25D6-42fa-AB6F-96F3DB92F3EE}	{3DF57A89-D4F5-40f5-B311-F814E7405DD2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F5D8586E-25D6-42fa-AB6F-96F3DB92F3EE}\stubpath = "C:\\Windows\\{F5D8586E-25D6-42fa-AB6F-96F3DB92F3EE}.exe"	{3DF57A89-D4F5-40f5-B311-F814E7405DD2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89010139-F841-4faa-8B1A-9D811C2ED99B}	{03A33329-0CAE-4a86-ACF4-B064D7ABF6AE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89010139-F841-4faa-8B1A-9D811C2ED99B}\stubpath = "C:\\Windows\\{89010139-F841-4faa-8B1A-9D811C2ED99B}.exe"	{03A33329-0CAE-4a86-ACF4-B064D7ABF6AE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{260F4274-AF87-4344-B8AF-A8D2F301EBEB}\stubpath = "C:\\Windows\\{260F4274-AF87-4344-B8AF-A8D2F301EBEB}.exe"	{1BFDB7EE-6FA1-4252-B184-1825425A226F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C91A4775-BAB1-48e5-A0C0-D076F90BC015}	{260F4274-AF87-4344-B8AF-A8D2F301EBEB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1E46CF4-A24B-4ba3-B39F-151A35D17098}\stubpath = "C:\\Windows\\{A1E46CF4-A24B-4ba3-B39F-151A35D17098}.exe"	{A7AE9257-1EA8-45b1-8672-C23E603F15A1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6991A06D-D012-4f41-9980-A97C2C5FF0B9}\stubpath = "C:\\Windows\\{6991A06D-D012-4f41-9980-A97C2C5FF0B9}.exe"	{A1E46CF4-A24B-4ba3-B39F-151A35D17098}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38DB1EBE-E630-463b-9357-CEA2156B1F94}	{6991A06D-D012-4f41-9980-A97C2C5FF0B9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1BFDB7EE-6FA1-4252-B184-1825425A226F}	{61A44D86-7AA7-44f8-A3F7-AAC9D24EF8C0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3DF57A89-D4F5-40f5-B311-F814E7405DD2}\stubpath = "C:\\Windows\\{3DF57A89-D4F5-40f5-B311-F814E7405DD2}.exe"	{C91A4775-BAB1-48e5-A0C0-D076F90BC015}.exe

Executes dropped EXE 12 IoCs

pid	Process
3004	{A7AE9257-1EA8-45b1-8672-C23E603F15A1}.exe
4396	{A1E46CF4-A24B-4ba3-B39F-151A35D17098}.exe
1352	{6991A06D-D012-4f41-9980-A97C2C5FF0B9}.exe
3944	{38DB1EBE-E630-463b-9357-CEA2156B1F94}.exe
1372	{03A33329-0CAE-4a86-ACF4-B064D7ABF6AE}.exe
644	{89010139-F841-4faa-8B1A-9D811C2ED99B}.exe
3112	{61A44D86-7AA7-44f8-A3F7-AAC9D24EF8C0}.exe
3904	{1BFDB7EE-6FA1-4252-B184-1825425A226F}.exe
4084	{260F4274-AF87-4344-B8AF-A8D2F301EBEB}.exe
2964	{C91A4775-BAB1-48e5-A0C0-D076F90BC015}.exe
652	{3DF57A89-D4F5-40f5-B311-F814E7405DD2}.exe
764	{F5D8586E-25D6-42fa-AB6F-96F3DB92F3EE}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{61A44D86-7AA7-44f8-A3F7-AAC9D24EF8C0}.exe	{89010139-F841-4faa-8B1A-9D811C2ED99B}.exe
File created	C:\Windows\{1BFDB7EE-6FA1-4252-B184-1825425A226F}.exe	{61A44D86-7AA7-44f8-A3F7-AAC9D24EF8C0}.exe
File created	C:\Windows\{260F4274-AF87-4344-B8AF-A8D2F301EBEB}.exe	{1BFDB7EE-6FA1-4252-B184-1825425A226F}.exe
File created	C:\Windows\{C91A4775-BAB1-48e5-A0C0-D076F90BC015}.exe	{260F4274-AF87-4344-B8AF-A8D2F301EBEB}.exe
File created	C:\Windows\{03A33329-0CAE-4a86-ACF4-B064D7ABF6AE}.exe	{38DB1EBE-E630-463b-9357-CEA2156B1F94}.exe
File created	C:\Windows\{A1E46CF4-A24B-4ba3-B39F-151A35D17098}.exe	{A7AE9257-1EA8-45b1-8672-C23E603F15A1}.exe
File created	C:\Windows\{6991A06D-D012-4f41-9980-A97C2C5FF0B9}.exe	{A1E46CF4-A24B-4ba3-B39F-151A35D17098}.exe
File created	C:\Windows\{38DB1EBE-E630-463b-9357-CEA2156B1F94}.exe	{6991A06D-D012-4f41-9980-A97C2C5FF0B9}.exe
File created	C:\Windows\{89010139-F841-4faa-8B1A-9D811C2ED99B}.exe	{03A33329-0CAE-4a86-ACF4-B064D7ABF6AE}.exe
File created	C:\Windows\{3DF57A89-D4F5-40f5-B311-F814E7405DD2}.exe	{C91A4775-BAB1-48e5-A0C0-D076F90BC015}.exe
File created	C:\Windows\{F5D8586E-25D6-42fa-AB6F-96F3DB92F3EE}.exe	{3DF57A89-D4F5-40f5-B311-F814E7405DD2}.exe
File created	C:\Windows\{A7AE9257-1EA8-45b1-8672-C23E603F15A1}.exe	76584f45934fbbc5ee094bd3abbf8f32_goldeneye_JC.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3992	76584f45934fbbc5ee094bd3abbf8f32_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	3004	{A7AE9257-1EA8-45b1-8672-C23E603F15A1}.exe
Token: SeIncBasePriorityPrivilege	4396	{A1E46CF4-A24B-4ba3-B39F-151A35D17098}.exe
Token: SeIncBasePriorityPrivilege	1352	{6991A06D-D012-4f41-9980-A97C2C5FF0B9}.exe
Token: SeIncBasePriorityPrivilege	3944	{38DB1EBE-E630-463b-9357-CEA2156B1F94}.exe
Token: SeIncBasePriorityPrivilege	1372	{03A33329-0CAE-4a86-ACF4-B064D7ABF6AE}.exe
Token: SeIncBasePriorityPrivilege	644	{89010139-F841-4faa-8B1A-9D811C2ED99B}.exe
Token: SeIncBasePriorityPrivilege	3112	{61A44D86-7AA7-44f8-A3F7-AAC9D24EF8C0}.exe
Token: SeIncBasePriorityPrivilege	3904	{1BFDB7EE-6FA1-4252-B184-1825425A226F}.exe
Token: SeIncBasePriorityPrivilege	4084	{260F4274-AF87-4344-B8AF-A8D2F301EBEB}.exe
Token: SeIncBasePriorityPrivilege	2964	{C91A4775-BAB1-48e5-A0C0-D076F90BC015}.exe
Token: SeIncBasePriorityPrivilege	652	{3DF57A89-D4F5-40f5-B311-F814E7405DD2}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3992 wrote to memory of 3004	3992	76584f45934fbbc5ee094bd3abbf8f32_goldeneye_JC.exe	90
PID 3992 wrote to memory of 3004	3992	76584f45934fbbc5ee094bd3abbf8f32_goldeneye_JC.exe	90
PID 3992 wrote to memory of 3004	3992	76584f45934fbbc5ee094bd3abbf8f32_goldeneye_JC.exe	90
PID 3992 wrote to memory of 3896	3992	76584f45934fbbc5ee094bd3abbf8f32_goldeneye_JC.exe	91
PID 3992 wrote to memory of 3896	3992	76584f45934fbbc5ee094bd3abbf8f32_goldeneye_JC.exe	91
PID 3992 wrote to memory of 3896	3992	76584f45934fbbc5ee094bd3abbf8f32_goldeneye_JC.exe	91
PID 3004 wrote to memory of 4396	3004	{A7AE9257-1EA8-45b1-8672-C23E603F15A1}.exe	92
PID 3004 wrote to memory of 4396	3004	{A7AE9257-1EA8-45b1-8672-C23E603F15A1}.exe	92
PID 3004 wrote to memory of 4396	3004	{A7AE9257-1EA8-45b1-8672-C23E603F15A1}.exe	92
PID 3004 wrote to memory of 1652	3004	{A7AE9257-1EA8-45b1-8672-C23E603F15A1}.exe	93
PID 3004 wrote to memory of 1652	3004	{A7AE9257-1EA8-45b1-8672-C23E603F15A1}.exe	93
PID 3004 wrote to memory of 1652	3004	{A7AE9257-1EA8-45b1-8672-C23E603F15A1}.exe	93
PID 4396 wrote to memory of 1352	4396	{A1E46CF4-A24B-4ba3-B39F-151A35D17098}.exe	96
PID 4396 wrote to memory of 1352	4396	{A1E46CF4-A24B-4ba3-B39F-151A35D17098}.exe	96
PID 4396 wrote to memory of 1352	4396	{A1E46CF4-A24B-4ba3-B39F-151A35D17098}.exe	96
PID 4396 wrote to memory of 4532	4396	{A1E46CF4-A24B-4ba3-B39F-151A35D17098}.exe	95
PID 4396 wrote to memory of 4532	4396	{A1E46CF4-A24B-4ba3-B39F-151A35D17098}.exe	95
PID 4396 wrote to memory of 4532	4396	{A1E46CF4-A24B-4ba3-B39F-151A35D17098}.exe	95
PID 1352 wrote to memory of 3944	1352	{6991A06D-D012-4f41-9980-A97C2C5FF0B9}.exe	97
PID 1352 wrote to memory of 3944	1352	{6991A06D-D012-4f41-9980-A97C2C5FF0B9}.exe	97
PID 1352 wrote to memory of 3944	1352	{6991A06D-D012-4f41-9980-A97C2C5FF0B9}.exe	97
PID 1352 wrote to memory of 1556	1352	{6991A06D-D012-4f41-9980-A97C2C5FF0B9}.exe	98
PID 1352 wrote to memory of 1556	1352	{6991A06D-D012-4f41-9980-A97C2C5FF0B9}.exe	98
PID 1352 wrote to memory of 1556	1352	{6991A06D-D012-4f41-9980-A97C2C5FF0B9}.exe	98
PID 3944 wrote to memory of 1372	3944	{38DB1EBE-E630-463b-9357-CEA2156B1F94}.exe	99
PID 3944 wrote to memory of 1372	3944	{38DB1EBE-E630-463b-9357-CEA2156B1F94}.exe	99
PID 3944 wrote to memory of 1372	3944	{38DB1EBE-E630-463b-9357-CEA2156B1F94}.exe	99
PID 3944 wrote to memory of 4368	3944	{38DB1EBE-E630-463b-9357-CEA2156B1F94}.exe	100
PID 3944 wrote to memory of 4368	3944	{38DB1EBE-E630-463b-9357-CEA2156B1F94}.exe	100
PID 3944 wrote to memory of 4368	3944	{38DB1EBE-E630-463b-9357-CEA2156B1F94}.exe	100
PID 1372 wrote to memory of 644	1372	{03A33329-0CAE-4a86-ACF4-B064D7ABF6AE}.exe	101
PID 1372 wrote to memory of 644	1372	{03A33329-0CAE-4a86-ACF4-B064D7ABF6AE}.exe	101
PID 1372 wrote to memory of 644	1372	{03A33329-0CAE-4a86-ACF4-B064D7ABF6AE}.exe	101
PID 1372 wrote to memory of 1724	1372	{03A33329-0CAE-4a86-ACF4-B064D7ABF6AE}.exe	102
PID 1372 wrote to memory of 1724	1372	{03A33329-0CAE-4a86-ACF4-B064D7ABF6AE}.exe	102
PID 1372 wrote to memory of 1724	1372	{03A33329-0CAE-4a86-ACF4-B064D7ABF6AE}.exe	102
PID 644 wrote to memory of 3112	644	{89010139-F841-4faa-8B1A-9D811C2ED99B}.exe	103
PID 644 wrote to memory of 3112	644	{89010139-F841-4faa-8B1A-9D811C2ED99B}.exe	103
PID 644 wrote to memory of 3112	644	{89010139-F841-4faa-8B1A-9D811C2ED99B}.exe	103
PID 644 wrote to memory of 2860	644	{89010139-F841-4faa-8B1A-9D811C2ED99B}.exe	104
PID 644 wrote to memory of 2860	644	{89010139-F841-4faa-8B1A-9D811C2ED99B}.exe	104
PID 644 wrote to memory of 2860	644	{89010139-F841-4faa-8B1A-9D811C2ED99B}.exe	104
PID 3112 wrote to memory of 3904	3112	{61A44D86-7AA7-44f8-A3F7-AAC9D24EF8C0}.exe	105
PID 3112 wrote to memory of 3904	3112	{61A44D86-7AA7-44f8-A3F7-AAC9D24EF8C0}.exe	105
PID 3112 wrote to memory of 3904	3112	{61A44D86-7AA7-44f8-A3F7-AAC9D24EF8C0}.exe	105
PID 3112 wrote to memory of 1464	3112	{61A44D86-7AA7-44f8-A3F7-AAC9D24EF8C0}.exe	106
PID 3112 wrote to memory of 1464	3112	{61A44D86-7AA7-44f8-A3F7-AAC9D24EF8C0}.exe	106
PID 3112 wrote to memory of 1464	3112	{61A44D86-7AA7-44f8-A3F7-AAC9D24EF8C0}.exe	106
PID 3904 wrote to memory of 4084	3904	{1BFDB7EE-6FA1-4252-B184-1825425A226F}.exe	108
PID 3904 wrote to memory of 4084	3904	{1BFDB7EE-6FA1-4252-B184-1825425A226F}.exe	108
PID 3904 wrote to memory of 4084	3904	{1BFDB7EE-6FA1-4252-B184-1825425A226F}.exe	108
PID 3904 wrote to memory of 3416	3904	{1BFDB7EE-6FA1-4252-B184-1825425A226F}.exe	107
PID 3904 wrote to memory of 3416	3904	{1BFDB7EE-6FA1-4252-B184-1825425A226F}.exe	107
PID 3904 wrote to memory of 3416	3904	{1BFDB7EE-6FA1-4252-B184-1825425A226F}.exe	107
PID 4084 wrote to memory of 2964	4084	{260F4274-AF87-4344-B8AF-A8D2F301EBEB}.exe	109
PID 4084 wrote to memory of 2964	4084	{260F4274-AF87-4344-B8AF-A8D2F301EBEB}.exe	109
PID 4084 wrote to memory of 2964	4084	{260F4274-AF87-4344-B8AF-A8D2F301EBEB}.exe	109
PID 4084 wrote to memory of 4716	4084	{260F4274-AF87-4344-B8AF-A8D2F301EBEB}.exe	110
PID 4084 wrote to memory of 4716	4084	{260F4274-AF87-4344-B8AF-A8D2F301EBEB}.exe	110
PID 4084 wrote to memory of 4716	4084	{260F4274-AF87-4344-B8AF-A8D2F301EBEB}.exe	110
PID 2964 wrote to memory of 652	2964	{C91A4775-BAB1-48e5-A0C0-D076F90BC015}.exe	111
PID 2964 wrote to memory of 652	2964	{C91A4775-BAB1-48e5-A0C0-D076F90BC015}.exe	111
PID 2964 wrote to memory of 652	2964	{C91A4775-BAB1-48e5-A0C0-D076F90BC015}.exe	111
PID 2964 wrote to memory of 4272	2964	{C91A4775-BAB1-48e5-A0C0-D076F90BC015}.exe	112

C:\Users\Admin\AppData\Local\Temp\76584f45934fbbc5ee094bd3abbf8f32_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\76584f45934fbbc5ee094bd3abbf8f32_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3992
- C:\Windows\{A7AE9257-1EA8-45b1-8672-C23E603F15A1}.exe
  C:\Windows\{A7AE9257-1EA8-45b1-8672-C23E603F15A1}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Windows\{A1E46CF4-A24B-4ba3-B39F-151A35D17098}.exe
    C:\Windows\{A1E46CF4-A24B-4ba3-B39F-151A35D17098}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4396
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A1E46~1.EXE > nul
      4⤵
      PID:4532
  - - C:\Windows\{6991A06D-D012-4f41-9980-A97C2C5FF0B9}.exe
      C:\Windows\{6991A06D-D012-4f41-9980-A97C2C5FF0B9}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1352
    - - C:\Windows\{38DB1EBE-E630-463b-9357-CEA2156B1F94}.exe
        
        C:\Windows\{38DB1EBE-E630-463b-9357-CEA2156B1F94}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3944
      - C:\Windows\{03A33329-0CAE-4a86-ACF4-B064D7ABF6AE}.exe
        
        C:\Windows\{03A33329-0CAE-4a86-ACF4-B064D7ABF6AE}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1372
        
        C:\Windows\{89010139-F841-4faa-8B1A-9D811C2ED99B}.exe
        
        C:\Windows\{89010139-F841-4faa-8B1A-9D811C2ED99B}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:644
        
        C:\Windows\{61A44D86-7AA7-44f8-A3F7-AAC9D24EF8C0}.exe
        
        C:\Windows\{61A44D86-7AA7-44f8-A3F7-AAC9D24EF8C0}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3112
        
        C:\Windows\{1BFDB7EE-6FA1-4252-B184-1825425A226F}.exe
        
        C:\Windows\{1BFDB7EE-6FA1-4252-B184-1825425A226F}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1BFDB~1.EXE > nul
        10⤵
        
        PID:3416
        
        C:\Windows\{260F4274-AF87-4344-B8AF-A8D2F301EBEB}.exe
        
        C:\Windows\{260F4274-AF87-4344-B8AF-A8D2F301EBEB}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4084
        
        C:\Windows\{C91A4775-BAB1-48e5-A0C0-D076F90BC015}.exe
        
        C:\Windows\{C91A4775-BAB1-48e5-A0C0-D076F90BC015}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\{3DF57A89-D4F5-40f5-B311-F814E7405DD2}.exe
        
        C:\Windows\{3DF57A89-D4F5-40f5-B311-F814E7405DD2}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:652
        
        C:\Windows\{F5D8586E-25D6-42fa-AB6F-96F3DB92F3EE}.exe
        
        C:\Windows\{F5D8586E-25D6-42fa-AB6F-96F3DB92F3EE}.exe
        13⤵
        Executes dropped EXE
        
        PID:764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3DF57~1.EXE > nul
        13⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C91A4~1.EXE > nul
        12⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{260F4~1.EXE > nul
        11⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{61A44~1.EXE > nul
        9⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{89010~1.EXE > nul
        8⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{03A33~1.EXE > nul
        7⤵
        
        PID:1724
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{38DB1~1.EXE > nul
        6⤵
        
        PID:4368
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6991A~1.EXE > nul
        5⤵
        
        PID:1556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A7AE9~1.EXE > nul
    3⤵
    PID:1652
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\76584F~1.EXE > nul
  2⤵
  PID:3896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{03A33329-0CAE-4a86-ACF4-B064D7ABF6AE}.exe

Filesize
372KB

MD5
c2c36a4f6392cc32ba37535631901095

SHA1
d4e3783b665f080b2508775fdfd9f0905c87be11

SHA256
a0a85bbbc73abeb57042e2c70dd5bda2fa058352969eb5e8fe74afe3f9a5d206

SHA512
083828f18d8151cfa213827cba9f89d8fa4f08596ed21d192b64a5f73fd42effafb3b954aebd96dca5feda89e668d4b9f4f317b6311f5a1b85644da199df5daf

Download Submit
C:\Windows\{03A33329-0CAE-4a86-ACF4-B064D7ABF6AE}.exe

Filesize
372KB

MD5
c2c36a4f6392cc32ba37535631901095

SHA1
d4e3783b665f080b2508775fdfd9f0905c87be11

SHA256
a0a85bbbc73abeb57042e2c70dd5bda2fa058352969eb5e8fe74afe3f9a5d206

SHA512
083828f18d8151cfa213827cba9f89d8fa4f08596ed21d192b64a5f73fd42effafb3b954aebd96dca5feda89e668d4b9f4f317b6311f5a1b85644da199df5daf

Download Submit
C:\Windows\{1BFDB7EE-6FA1-4252-B184-1825425A226F}.exe

Filesize
372KB

MD5
4b2c372ef87009585033b6f84ee1b96b

SHA1
bb0253dc45f37312fba9c8130cdd8b373f2d8d8f

SHA256
1ecef4b9baf5ebef8b67c5e19d87fc801a80705cccca74b03e1ab374c4290caf

SHA512
ff10cb57e39439705a3834c54ea787a0f5ab13f71b254d8d8cc67b9ec7482bcae3a055bccba76f6591dfa8d48e4dff20a7660bead54a5ab4ec212277a555593d

Download Submit
C:\Windows\{1BFDB7EE-6FA1-4252-B184-1825425A226F}.exe

Filesize
372KB

MD5
4b2c372ef87009585033b6f84ee1b96b

SHA1
bb0253dc45f37312fba9c8130cdd8b373f2d8d8f

SHA256
1ecef4b9baf5ebef8b67c5e19d87fc801a80705cccca74b03e1ab374c4290caf

SHA512
ff10cb57e39439705a3834c54ea787a0f5ab13f71b254d8d8cc67b9ec7482bcae3a055bccba76f6591dfa8d48e4dff20a7660bead54a5ab4ec212277a555593d

Download Submit
C:\Windows\{260F4274-AF87-4344-B8AF-A8D2F301EBEB}.exe

Filesize
372KB

MD5
dd1ee09ea6a05ca3b08cfd400c4f9c6f

SHA1
4235ea45fe04beb1131e740fc081828b12579d58

SHA256
a0af512c72a36d351287c90e7eda2ec3bbf3d3bdf0bcf5e70d2c6dea67037299

SHA512
e686534001472429fc3c8de762ec5cf5634b2f84ccecdac83a8dab908496ff172fbcd1c9de1a93d6621b4c1373a75ed11f18a4ef3b04c10dfe0a55d18ea63178

Download Submit
C:\Windows\{260F4274-AF87-4344-B8AF-A8D2F301EBEB}.exe

Filesize
372KB

MD5
dd1ee09ea6a05ca3b08cfd400c4f9c6f

SHA1
4235ea45fe04beb1131e740fc081828b12579d58

SHA256
a0af512c72a36d351287c90e7eda2ec3bbf3d3bdf0bcf5e70d2c6dea67037299

SHA512
e686534001472429fc3c8de762ec5cf5634b2f84ccecdac83a8dab908496ff172fbcd1c9de1a93d6621b4c1373a75ed11f18a4ef3b04c10dfe0a55d18ea63178

Download Submit
C:\Windows\{38DB1EBE-E630-463b-9357-CEA2156B1F94}.exe

Filesize
372KB

MD5
b5d9ed590dd4536c395ae3f48a5f6f12

SHA1
8adc47b60c908057dac61ba3a123fda17d6d7e30

SHA256
23d2367b3bf6e8a4849b6fcd644a965f237848f7a1cc918c1a224a03cb225aab

SHA512
eb8d803288f5cf0032b248372f1531b353e6899c9027875497adfc13b15462061f62205ad0228416ef02ec29c2a23125d37e412b9edb6a90f6e63d8958aa0b03

Download Submit
C:\Windows\{38DB1EBE-E630-463b-9357-CEA2156B1F94}.exe

Filesize
372KB

MD5
b5d9ed590dd4536c395ae3f48a5f6f12

SHA1
8adc47b60c908057dac61ba3a123fda17d6d7e30

SHA256
23d2367b3bf6e8a4849b6fcd644a965f237848f7a1cc918c1a224a03cb225aab

SHA512
eb8d803288f5cf0032b248372f1531b353e6899c9027875497adfc13b15462061f62205ad0228416ef02ec29c2a23125d37e412b9edb6a90f6e63d8958aa0b03

Download Submit
C:\Windows\{3DF57A89-D4F5-40f5-B311-F814E7405DD2}.exe

Filesize
372KB

MD5
acc6fe8ac7865fa79a55108296f74895

SHA1
5683761bf7089323133e396278db543f32c47446

SHA256
a5448cc092b8c40487626d8c489056221052856ed55cc45272bfe7f92f62e190

SHA512
4400dc8f07dda31c55b9e3d6b3f7891c658fa8c31bf476e2964b9994ad43c71ffb3d459822ce86e7a1594a99bc51022a345cd97cc84062d9a40fd22023f63fee

Download Submit
C:\Windows\{3DF57A89-D4F5-40f5-B311-F814E7405DD2}.exe

Filesize
372KB

MD5
acc6fe8ac7865fa79a55108296f74895

SHA1
5683761bf7089323133e396278db543f32c47446

SHA256
a5448cc092b8c40487626d8c489056221052856ed55cc45272bfe7f92f62e190

SHA512
4400dc8f07dda31c55b9e3d6b3f7891c658fa8c31bf476e2964b9994ad43c71ffb3d459822ce86e7a1594a99bc51022a345cd97cc84062d9a40fd22023f63fee

Download Submit
C:\Windows\{61A44D86-7AA7-44f8-A3F7-AAC9D24EF8C0}.exe

Filesize
372KB

MD5
84f0cdce9ccd8c87e21a54b71b6515aa

SHA1
a692b6b147f7b2f8eaa442c7d2d1a70adf955baa

SHA256
58e2b9cc2c28c373a0a7def00bbe327282de27e5481d28f08d1a0ed3bd24988e

SHA512
c42f2f4f3e45607118de8f7adc1f5449838ce031f874021ba8927529b56fdccea88227db31bedf177a006cd6398bc177c62a21743474fb6ce90013bf7edfa478

Download Submit
C:\Windows\{61A44D86-7AA7-44f8-A3F7-AAC9D24EF8C0}.exe

Filesize
372KB

MD5
84f0cdce9ccd8c87e21a54b71b6515aa

SHA1
a692b6b147f7b2f8eaa442c7d2d1a70adf955baa

SHA256
58e2b9cc2c28c373a0a7def00bbe327282de27e5481d28f08d1a0ed3bd24988e

SHA512
c42f2f4f3e45607118de8f7adc1f5449838ce031f874021ba8927529b56fdccea88227db31bedf177a006cd6398bc177c62a21743474fb6ce90013bf7edfa478

Download Submit
C:\Windows\{6991A06D-D012-4f41-9980-A97C2C5FF0B9}.exe

Filesize
372KB

MD5
7a4fc17f91698dfcb5b0fb96289c59dd

SHA1
276ce99dde887fd4ccdfa343d64ab02f99c77e7f

SHA256
8c8a0377e46543f9c05d5afabc2fd296883e3a0a2bf73a1eaf065db294a8a197

SHA512
d6277f3097762a0ede9f389417b9e337ea62d76ce9bd668a8925c00dbcc389de477684fe3208a7fe47dc961d2e41a1178c36ba191f54646f210c5556a91345c3

Download Submit
C:\Windows\{6991A06D-D012-4f41-9980-A97C2C5FF0B9}.exe

Filesize
372KB

MD5
7a4fc17f91698dfcb5b0fb96289c59dd

SHA1
276ce99dde887fd4ccdfa343d64ab02f99c77e7f

SHA256
8c8a0377e46543f9c05d5afabc2fd296883e3a0a2bf73a1eaf065db294a8a197

SHA512
d6277f3097762a0ede9f389417b9e337ea62d76ce9bd668a8925c00dbcc389de477684fe3208a7fe47dc961d2e41a1178c36ba191f54646f210c5556a91345c3

Download Submit
C:\Windows\{6991A06D-D012-4f41-9980-A97C2C5FF0B9}.exe

Filesize
372KB

MD5
7a4fc17f91698dfcb5b0fb96289c59dd

SHA1
276ce99dde887fd4ccdfa343d64ab02f99c77e7f

SHA256
8c8a0377e46543f9c05d5afabc2fd296883e3a0a2bf73a1eaf065db294a8a197

SHA512
d6277f3097762a0ede9f389417b9e337ea62d76ce9bd668a8925c00dbcc389de477684fe3208a7fe47dc961d2e41a1178c36ba191f54646f210c5556a91345c3

Download Submit
C:\Windows\{89010139-F841-4faa-8B1A-9D811C2ED99B}.exe

Filesize
372KB

MD5
589772c4aed4b8070998e9ed45c7cd5e

SHA1
01a1f3b126ecfd8b7421c03bd34aa4dacbea9b54

SHA256
452aad1732fb639b17978fcb230b4680075d3dd517fb1517259b9eb3b9c0aac4

SHA512
e5117e281cff4f36fea1e6f12ea1e7756e044f0431360853704c4a7cae7b60566be5e1b923e324db55e7f75ced0be697a49e390f613c9daf075e88cdfe8b7865

Download Submit
C:\Windows\{89010139-F841-4faa-8B1A-9D811C2ED99B}.exe

Filesize
372KB

MD5
589772c4aed4b8070998e9ed45c7cd5e

SHA1
01a1f3b126ecfd8b7421c03bd34aa4dacbea9b54

SHA256
452aad1732fb639b17978fcb230b4680075d3dd517fb1517259b9eb3b9c0aac4

SHA512
e5117e281cff4f36fea1e6f12ea1e7756e044f0431360853704c4a7cae7b60566be5e1b923e324db55e7f75ced0be697a49e390f613c9daf075e88cdfe8b7865

Download Submit
C:\Windows\{A1E46CF4-A24B-4ba3-B39F-151A35D17098}.exe

Filesize
372KB

MD5
bd290e1ec08f1a406e826ad4530122d0

SHA1
1f18f8801b673e0077e8390a38a2626c07297612

SHA256
a57dd0ce420fb98d1f5524e8a7a885a98b7229dea0da71b8d5895613b8e2aefd

SHA512
f9472351f1a4b381ab6a66643471dc54c021238a9eb37a18fae9bace0203ba87b4f22c61689b0651d0deab8bfe7c170484cdc7e0bd7f5e6513a2923e7f4b15e8

Download Submit
C:\Windows\{A1E46CF4-A24B-4ba3-B39F-151A35D17098}.exe

Filesize
372KB

MD5
bd290e1ec08f1a406e826ad4530122d0

SHA1
1f18f8801b673e0077e8390a38a2626c07297612

SHA256
a57dd0ce420fb98d1f5524e8a7a885a98b7229dea0da71b8d5895613b8e2aefd

SHA512
f9472351f1a4b381ab6a66643471dc54c021238a9eb37a18fae9bace0203ba87b4f22c61689b0651d0deab8bfe7c170484cdc7e0bd7f5e6513a2923e7f4b15e8

Download Submit
C:\Windows\{A7AE9257-1EA8-45b1-8672-C23E603F15A1}.exe

Filesize
372KB

MD5
e48c86eda63669196cc26e10520befd6

SHA1
b1613cd08ed25fbc909ae476c51a7a3ecae56ef3

SHA256
73cbe070a6f18f143b6a45d8ed2123c659185786a6e27ce86946c0999f08eb40

SHA512
472a437dcb240d6de9547c7a59e288a0d63c049682b0283bd0af76e64b5b75ae2384eda5b73ed4df622b58518faf90296b4d3aefb214222cc4cd9751ab3a54ed

Download Submit
C:\Windows\{A7AE9257-1EA8-45b1-8672-C23E603F15A1}.exe

Filesize
372KB

MD5
e48c86eda63669196cc26e10520befd6

SHA1
b1613cd08ed25fbc909ae476c51a7a3ecae56ef3

SHA256
73cbe070a6f18f143b6a45d8ed2123c659185786a6e27ce86946c0999f08eb40

SHA512
472a437dcb240d6de9547c7a59e288a0d63c049682b0283bd0af76e64b5b75ae2384eda5b73ed4df622b58518faf90296b4d3aefb214222cc4cd9751ab3a54ed

Download Submit
C:\Windows\{C91A4775-BAB1-48e5-A0C0-D076F90BC015}.exe

Filesize
372KB

MD5
45a9ca237a0795d0425d376a2105cea5

SHA1
78b97534bf825b4fbfd971a0753769f4d2cc341d

SHA256
ad6dd1e59011f9a06ebbe77eb028628d0b8d6e392ed824af1e3f8a0c76febd36

SHA512
a3562542503b57819eeb7e6f1c23df19e9ae8bcb7f28a0fb6be4db256384eab32f7bdea62a80f76d48780d679c45ef830102aae36c0ec15d4b3df9ea58ef5bc8

Download Submit
C:\Windows\{C91A4775-BAB1-48e5-A0C0-D076F90BC015}.exe

Filesize
372KB

MD5
45a9ca237a0795d0425d376a2105cea5

SHA1
78b97534bf825b4fbfd971a0753769f4d2cc341d

SHA256
ad6dd1e59011f9a06ebbe77eb028628d0b8d6e392ed824af1e3f8a0c76febd36

SHA512
a3562542503b57819eeb7e6f1c23df19e9ae8bcb7f28a0fb6be4db256384eab32f7bdea62a80f76d48780d679c45ef830102aae36c0ec15d4b3df9ea58ef5bc8

Download Submit
C:\Windows\{F5D8586E-25D6-42fa-AB6F-96F3DB92F3EE}.exe

Filesize
372KB

MD5
fcf095abea01951d163820c9e9df2332

SHA1
bfe3c044fc63beb9d35279bb8fc825b1dfd25e22

SHA256
995ffa2d13f840a1816aa01873714e2989df201f04e3622267e279ce50a2c173

SHA512
35968ed994aca5ce725cff4d8a97db174cc4fbb4d23c79bbb1c5f7aab88a49fc4e94c9b4e4bc22c93a9cc73d2d68d9894d29fdd8d2c0a460253d4592191ac4d0

Download Submit
C:\Windows\{F5D8586E-25D6-42fa-AB6F-96F3DB92F3EE}.exe

Filesize
372KB

MD5
fcf095abea01951d163820c9e9df2332

SHA1
bfe3c044fc63beb9d35279bb8fc825b1dfd25e22

SHA256
995ffa2d13f840a1816aa01873714e2989df201f04e3622267e279ce50a2c173

SHA512
35968ed994aca5ce725cff4d8a97db174cc4fbb4d23c79bbb1c5f7aab88a49fc4e94c9b4e4bc22c93a9cc73d2d68d9894d29fdd8d2c0a460253d4592191ac4d0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads